Threat Response – Microsoft Remote Code Execution Zero day in Windows

10-09-2021

Over the past days more information has become available about a remote code execution vulnerability in multiple Windows versions, reached through Office 365 and Office 2019 documents [1, 2, 3]. The vulnerability is in MSHTML, the browser rendering engine that Microsoft Office also uses to render content in documents. It is receiving a lot of online attention, and Northwave wants to provide you with appropriate information about the CVE.

Description

The vulnerability is a remote code execution flaw in MSHTML that affects multiple Windows versions and is reached through Office documents (Office 365 and Office 2019). A crafted document makes MSHTML load a malicious ActiveX control when the document is opened; the attack does not depend on the user enabling macros, so macro blocking alone does not stop it. In a standard configuration, abusing the vulnerability still requires the user to manually override Office's security measures. The zero-day vulnerability is tracked as CVE-2021-40444 [1, 2].

Threat actors are currently abusing this vulnerability through malicious Office documents sent as e-mail attachments. Northwave sees a limited risk, because with default Office settings files received from the internet or as e-mail attachments (files that carry the Mark of the Web) open in Protected View, or in Application Guard for Office where that feature is enabled. The malicious code cannot run while the document is in Protected View or Application Guard; the user would first have to manually leave Protected View (for example by clicking "Enable Editing").
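The assessment above rests on Protected View being in effect. The following PowerShell script is an added example (not part of the Northwave advisory) that checks, for the current user, whether Protected View has been switched off for Word, Excel or PowerPoint through the three Trust Center registry values, in both the user hive and the Group Policy hive, and whether a given attachment actually carries the Mark of the Web that triggers Protected View. It assumes an Office 2016/2019/365 installation (registry version 16.0); the sample file path is a placeholder.

```powershell
# Added example: verify the Protected View conditions that keep CVE-2021-40444
# from triggering automatically. Not code from the Northwave advisory.
$apps  = 'Word', 'Excel', 'PowerPoint'
# Each value disables Protected View for one file origin when set to 1.
# "DisableAttachementsInPV" is spelled this way in the Office registry.
$names = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'
$hives = @(
    'HKCU:\Software\Microsoft\Office\16.0\{0}\Security\ProtectedView',          # user's Trust Center choice
    'HKCU:\Software\Policies\Microsoft\Office\16.0\{0}\Security\ProtectedView'  # Group Policy (overrides the above)
)

function Get-ProtectedViewFindings {
    # Returns one object per Office app / registry key / value that disables Protected View.
    $findings = @()
    foreach ($app in $apps) {
        foreach ($template in $hives) {
            $key = $template -f $app
            if (-not (Test-Path $key)) { continue }   # key absent means default: Protected View on
            $props = Get-ItemProperty -Path $key
            foreach ($name in $names) {
                if ($props.$name -eq 1) {
                    $findings += [pscustomobject]@{ App = $app; Key = $key; Setting = $name }
                }
            }
        }
    }
    return $findings
}

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Protected View only applies to files whose Zone.Identifier alternate data
    # stream marks them as coming from the Internet (3) or Restricted (4) zone.
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return [bool]($ads | Where-Object { $_ -match '^ZoneId=[34]$' })
}

$findings = Get-ProtectedViewFindings
if ($findings.Count -eq 0) {
    Write-Output 'Protected View is enabled for internet files, attachments and unsafe locations.'
} else {
    Write-Warning 'Protected View has been disabled for the following origins:'
    $findings | Format-Table -AutoSize
}

# Placeholder path: replace with an attachment saved from the mail client.
$sample = "$env:USERPROFILE\Downloads\invoice.docx"
if (Test-Path $sample) {
    if (Test-MarkOfTheWeb -Path $sample) {
        Write-Output "$sample carries the Mark of the Web and will open in Protected View."
    } else {
        Write-Warning "$sample has no Mark of the Web; Office will open it with full functionality."
    }
}
```

A file that was saved by a mail client or archiver that strips the Zone.Identifier stream, or that was copied from a location Office trusts, opens without Protected View, so the check on the file itself matters as much as the Trust Center settings.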

Impact

If the attack succeeds, the attacker can run code with the same rights as the current user; where that user has local administrator rights, the attacker gains full control of the system. We therefore assess the impact as high.

Risk

The vulnerability cannot be easily abused when the standard configuration is used, so we estimate the risk as medium.

Mitigation

As there is no security update available at this time, Microsoft has provided the following workaround: disable the installation of all ActiveX controls in Internet Explorer. This is done through registry settings for the Internet Explorer security zones and requires a reboot; ActiveX controls that are already installed keep working. For detailed instructions, see [4].
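The following PowerShell script is an added example (not part of the Northwave advisory or of Microsoft's published instructions) that applies and verifies that workaround: it sets the "Download signed ActiveX controls" (1001) and "Download unsigned ActiveX controls" (1004) values to 3 (Disable) for Internet Explorer zones 0 to 3 under the policy hive, so the setting cannot be undone from the Internet Options dialog. The function and variable names are the example's own.

```powershell
# Added example: apply Microsoft's interim ActiveX workaround for CVE-2021-40444.
# Run from an elevated PowerShell prompt; reboot afterwards to apply the change.
$zoneRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = 0..3              # 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet
$values   = '1001', '1004'    # signed / unsigned ActiveX control download
$disabled = 3                 # URLACTION value meaning "Disable"

function Set-ActiveXInstallDisabled {
    foreach ($zone in $zones) {
        $key = Join-Path $zoneRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $values) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $disabled -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallDisabled {
    # Returns $true only when both values are set to 3 in every zone.
    foreach ($zone in $zones) {
        $key = Join-Path $zoneRoot $zone
        foreach ($name in $values) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -ne $disabled) {
                Write-Warning "Zone $zone, value $name is '$current' (expected $disabled)"
                return $false
            }
        }
    }
    return $true
}

function Remove-ActiveXInstallWorkaround {
    # Reverts the workaround once a vendor security update has been installed.
    foreach ($zone in $zones) {
        $key = Join-Path $zoneRoot $zone
        foreach ($name in $values) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }
}

Set-ActiveXInstallDisabled
if (Test-ActiveXInstallDisabled) {
    Write-Output 'ActiveX control installation disabled in IE zones 0-3. Reboot to apply.'
}
```

Test-ActiveXInstallDisabled can also be run on its own, for example through a remote management tool, to confirm the workaround is in place across the estate. Keep a record of the hosts changed so that Remove-ActiveXInstallWorkaround can be applied after the security update is installed.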

Both ESET and Microsoft Defender for Endpoint (MDE; version 1.1.18500.10 and up) have detection capabilities for exploitation of this vulnerability. Microsoft Defender for Endpoint automatically blocks abuse of the vulnerability; for ESET, this mitigating measure is still being tested.

In general, the advice to only open attachments that you expect to receive stands.

What will Northwave do?

Northwave is researching the possibilities of monitoring for exploit attempts outside of ESET and MDE. When possible, we will add these capabilities to the Northwave Detection Platform.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444

[2]: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

[3]: https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html

[4]: https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.